module Fog
  module Compute
    class AWS
      class Real
        require 'fog/aws/parsers/compute/basic'

        # Delete a security group that you own
        #
        # ==== Parameters
        # * group_name<~String> - Name of the security group, must be nil if id is specified
        # * group_id<~String> - Id of the security group, must be nil if name is specified
        #
        # ==== Returns
        # * response<~Excon::Response>:
        #   * body<~Hash>:
        #     * 'requestId'<~String> - Id of request
        #     * 'return'<~Boolean> - success?
        #
        # {Amazon API Reference}[http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/ApiReference-query-DeleteSecurityGroup.html]
        def delete_security_group(name, id = nil)
          if name && id
            raise Fog::Compute::AWS::Error.new("May not specify both group_name and group_id")
          end
          if name
            type_id    = 'GroupName'
            identifier = name
          else
            type_id    = 'GroupId'
            identifier = id
          end
          request(
            'Action'    => 'DeleteSecurityGroup',
            type_id     => identifier,
            :idempotent => true,
            :parser     => Fog::Parsers::Compute::AWS::Basic.new
          )
        end
      end

      class Mock
        def delete_security_group(name, id = nil)
          if name == 'default'
            raise Fog::Compute::AWS::Error.new("InvalidGroup.Reserved => The security group 'default' is reserved")
          end

          if name && id
            raise Fog::Compute::AWS::Error.new("May not specify both group_name and group_id")
          end

          if id
            name = self.data[:security_groups].reject { |k,v| v['groupId'] != id } .keys.first
          end

          unless self.data[:security_groups][name]
            raise Fog::Compute::AWS::NotFound.new("The security group '#{name}' does not exist")
          end

          response = Excon::Response.new

          used_by_groups = []

          # ec2 authorizations
          self.region_data.each do |_, key_data|
            key_data[:security_groups].each do |group_name, group|
              next if group == self.data[:security_groups][name]

              group['ipPermissions'].each do |group_ip_permission|
                group_ip_permission['groups'].each do |group_group_permission|
                  if group_group_permission['groupName'] == name &&
                      group_group_permission['userId'] == self.data[:owner_id]
                    used_by_groups << "#{key_data[:owner_id]}:#{group_name}"
                  end
                end
              end
            end
          end

          # rds authorizations
          Fog::AWS::RDS::Mock.data[self.region].each do |_, data|
            (data[:security_groups] || []).each do |group_name, group|
              (group["EC2SecurityGroups"] || []).each do |ec2_group|
                if ec2_group["EC2SecurityGroupName"] == name
                  used_by_groups << "#{group["OwnerId"]}:#{group_name}"
                end
              end
            end
          end

          active_instances = self.data[:instances].values.select do |instance|
            if instance['groupSet'].include?(name) && instance['instanceState'] != "terminated"
              instance
            end
          end

          unless used_by_groups.empty?
            raise Fog::Compute::AWS::Error.new("InvalidGroup.InUse => Group #{self.data[:owner_id]}:#{name} is used by groups: #{used_by_groups.uniq.join(" ")}")
          end

          if active_instances.any?
            raise Fog::Compute::AWS::Error.new("InUse => There are active instances using security group '#{name}'")
          end

          self.data[:security_groups].delete(name)
          response.status = 200
          response.body = {
            'requestId' => Fog::AWS::Mock.request_id,
            'return'    => true
          }
          response
        end
      end
    end
  end
end
